Using the MyProxy Online Credential Repository
Presentation Transcript

  1. Using the MyProxy Online Credential Repository
  Jim Basney
  National Center for Supercomputing Applications
  University of Illinois
  jbasney@ncsa.uiuc.edu

  2. What is MyProxy?
  • Independent Globus Toolkit add-on since 2000
  • To be included in Globus Toolkit 4.0
  • A service for securing private keys
    • Keys stored encrypted with user-chosen password
    • Keys never leave the MyProxy server
  • A service for retrieving proxy credentials
  • A commonly-used service for grid portal security
    • Integrated with OGCE, GridSphere, and GridPort
  http://myproxy.ncsa.uiuc.edu/

  3. PKI Overview
  • Public Key Cryptography
    • Sign with private key, verify signature with public key
    • Encrypt with public key, decrypt with private key
  • Key Distribution
    • Who does a public key belong to?
    • Certification Authority (CA) verifies user’s identity and signs certificate
    • Certificate is a document that binds the user’s identity to a public key
  • Authentication
    • Signature [ h ( random, … ) ]
  [Diagram: the CA’s self-signed certificate (Issuer: CA, Subject: CA) signs the user’s certificate (Issuer: CA, Subject: Jim).]

  4. Proxy Credentials
  • RFC 3820: Proxy Certificate Profile
  • Associate a new private key and certificate with existing credentials
  • Short-lived, unencrypted credentials for multiple authentications in a session
    • Restricted lifetime in certificate limits vulnerability of unencrypted key
  • Credential delegation (forwarding) without transferring private keys
  [Diagram: CA signs User; User signs Proxy A; Proxy A signs Proxy B.]

  5. Proxy Delegation
  [Diagram: Delegator and Delegatee. 1. The delegatee generates a new key pair. 2. Proxy certificate request sent to the delegator. 3. The delegator signs the new proxy certificate. 4. The signed proxy is returned to the delegatee.]
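The delegation exchange on slides 4 and 5, worked through as an added example; this is not code from the presentation or from the MyProxy/Globus projects. Certificates are plain dictionaries rather than X.509 structures, time is an integer count of hours, and signatures are textbook RSA over SHA-256 using constructed, insecurely small primes so that only the Python standard library is needed. The names (`delegate`, `verify_chain`, `/C=US/O=Example CA`) are all constructed. The two properties worth seeing are that the delegatee's private key never crosses the channel (only a public key and a certificate do), and that a proxy's lifetime is clamped to its issuer's and checked all the way down the chain:

```python
"""Added example (not the presentation's or the MyProxy/Globus code): a
simulation of the RFC 3820-style delegation exchange on slides 4 and 5.
Certificates are dictionaries, time is an integer hour count, and the
signature scheme is toy RSA over SHA-256 with small constructed primes."""
import hashlib
import math

E = 65537


def is_prime(n):
    """Trial division; adequate for the million-range toy primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def make_keypair(seed):
    """Toy RSA key pair from two consecutive primes above a constructed seed."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    while math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def digest(cert):
    """Hash the signed fields (everything except the signature) to an integer."""
    body = "|".join(f"{k}={cert[k]}" for k in
                    ("subject", "issuer", "n", "e", "not_after", "proxy"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")


def sign(cert, priv):
    return pow(digest(cert) % priv["n"], priv["d"], priv["n"])


def verify(cert, issuer_pub):
    n, e = issuer_pub["n"], issuer_pub["e"]
    return pow(cert["sig"], e, n) == digest(cert) % n


def issue(subject, issuer_cert, issuer_priv, pub, not_after, proxy):
    """The issuer signs a certificate binding `subject` to the public key `pub`."""
    issuer = issuer_cert["subject"] if issuer_cert else subject   # self-signed CA
    cert = {"subject": subject, "issuer": issuer, "n": pub["n"], "e": pub["e"],
            "not_after": not_after, "proxy": proxy}
    cert["sig"] = sign(cert, issuer_priv)
    return cert


def delegate(delegator_cert, delegator_priv, delegatee_pub, requested_not_after):
    """Slide 5, steps 3-4: the delegator signs a proxy certificate for the
    delegatee's public key.  Only the public key crossed the channel, and the
    proxy's lifetime is clamped to the delegator's own."""
    not_after = min(requested_not_after, delegator_cert["not_after"])
    return issue(delegator_cert["subject"] + "/CN=proxy", delegator_cert,
                 delegator_priv, delegatee_pub, not_after, True)


def verify_chain(chain, now):
    """Validate a chain from the self-signed CA down to the leaf proxy."""
    ca = chain[0]
    if ca["issuer"] != ca["subject"] or not verify(ca, ca):
        return False
    for parent, child in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"] or not verify(child, parent):
            return False
        if child["not_after"] > parent["not_after"] or child["not_after"] <= now:
            return False
        # RFC 3820 naming rule: a proxy's subject is its issuer's plus one CN.
        if child["proxy"] and not child["subject"].startswith(parent["subject"] + "/CN="):
            return False
    return True


def demo():
    """Slide 4's chain: CA signs User, User signs Proxy A, Proxy A signs Proxy B."""
    ca_pub, ca_priv = make_keypair(1_000_000)
    ca = issue("/C=US/O=Example CA", None, ca_priv, ca_pub, 100_000, False)
    user_pub, user_priv = make_keypair(2_000_000)
    user = issue("/C=US/O=Example CA/CN=Jim", ca, ca_priv, user_pub, 8_760, False)
    # Slide 5, steps 1-2: each delegatee generates its own key pair and sends a
    # certificate request; its private key stays where it was generated.
    a_pub, a_priv = make_keypair(3_000_000)
    proxy_a = delegate(user, user_priv, a_pub, 12)     # asks for 12 hours, gets 12
    b_pub, _b_priv = make_keypair(4_000_000)
    proxy_b = delegate(proxy_a, a_priv, b_pub, 500)    # asks for 500, clamped to 12
    return ca, user, proxy_a, proxy_b
```

Run `verify_chain(list(demo()), now=0)` to validate the freshly delegated chain; the same call with `now=12` fails because both proxies have expired, which is the "restricted lifetime limits vulnerability of the unencrypted key" point from slide 4 in executable form.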

  6. MyProxy System Architecture
  [Diagram: the MyProxy client stores a proxy in, and retrieves a proxy from, the credential repository on the MyProxy server; proxy delegation runs over a private TLS channel.]

  7. MyProxy: Credential Mobility
  [Diagram: the user obtains a certificate from ca.ncsa.uiuc.edu on tg-login.ncsa.teragrid.org, stores a proxy on myproxy.teragrid.org, and retrieves proxies on tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org and tg-login.uc.teragrid.org.]

  8. MyProxy and Grid Portals
  [Diagram: the user logs in to the portal; the portal fetches a proxy from the MyProxy server and uses it to access data on a GridFTP server.]

  9. MyProxy: User Registration
  [Diagram: the user requests an account from the registration portal; the portal obtains a user certificate from the certificate authority, sets the username/password and loads the user’s credentials into the MyProxy server; the user then logs in to the grid portal with username/password and the grid portal retrieves a proxy from the MyProxy server.]
  ESG PURSE: Portal-based User Registration Service

  10. MyProxy Security
  • Keys encrypted with user-chosen passwords
    • Server enforces password quality
    • Passwords are not stored
  • Dedicated server less vulnerable than desktop and general-purpose systems
    • Professionally managed, monitored, locked down
  • Users retrieve short-lived credentials
    • Generating new proxy keys for every session
  • All server operations logged to syslog
  • Caveat: Private key database is an attack target
    • Compare with status quo

  11. Hardware-Secured MyProxy
  M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April 2004.
  • Protect keys in tamper-resistant cryptographic hardware
  [Diagram: MyProxy server with an IBM 4758 cryptographic coprocessor; the client sends a proxy request to retrieve a proxy and receives a proxy certificate.]

  12. GlobusWORLD 2003 Flashback

  13. Credential Renewal
  • Long-lived jobs or services need credentials
    • Task lifetime is difficult to predict
  • Don’t want to delegate long-lived credentials
    • Fear of compromise
  • Instead, renew credentials as needed during the job’s lifetime
  • Renewal service provides a single point of monitoring and control
    • Renewal policy can be modified at any time
    • Disable renewals if compromise is detected or suspected
    • Disable renewals when jobs complete

  14. MyProxy: Credential Renewal
  [Diagram: the job is submitted to Condor-G, which submits it to the Globus gatekeeper; Condor-G fetches a fresh proxy from the MyProxy server and refreshes the job’s proxy.]

  15. MyProxy Installation (Unix)
  • Included in GT 4.0
  • As an add-on component to GT 3.x
    $ gpt-build myproxy*.tar.gz <flavor>
  • Set $MYPROXY_SERVER environment variable to myproxy-server hostname
    $ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu
  • Set Globus Toolkit environment
    $ . $GLOBUS_LOCATION/etc/globus-user-env.sh
  • Client installation/configuration complete!

  16. MyProxy CoG Clients
  • Commodity Grid (CoG) Kits
    • Provide portable (Java and Python) MyProxy client tools & APIs
    • Windows support
  • For more information:
    • http://www.cogkit.org/

  17. MyProxy Commands
  • myproxy-init: store proxy
  • myproxy-get-delegation: retrieve proxy
  • myproxy-info: query stored credentials
  • myproxy-destroy: remove credential
  • myproxy-change-pass-phrase: change password encrypting private key

  18. MyProxy Server Administration
  • Install server certificate and CA certificate(s)
  • Configure /etc/myproxy-server.config policy
    • Template provided with examples
  • Optionally:
    • Configure password quality enforcement
    • Install cron script to delete expired credentials
  • Install boot script and start server
    • Example boot script provided
  • Use myproxy-admin commands to manage server
    • Reset passwords, query repository, lock credentials
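Slide 10 says the server enforces password quality and slide 18 lists configuring that enforcement as an administration step. As an added example, not the presentation's code and not the policy script MyProxy ships, here is a small external passphrase-policy program of the kind a server can call when a credential is stored. The interface assumed (the candidate passphrase arriving on standard input, a non-zero exit status meaning "reject", the message on standard output going back to the client, and the username as the optional first argument) and every threshold and banned word are assumptions to check against the myproxy-server.config documentation before use:

```python
#!/usr/bin/env python3
"""Added example of an external passphrase-quality program (not MyProxy's
shipped script).  Assumed interface: passphrase on stdin, optional username
as argv[1], non-zero exit status rejects, stdout is the message shown to the
client.  All policy values below are constructed."""
import sys

MIN_LENGTH = 12                    # constructed policy values
MIN_CHARACTER_CLASSES = 3
BANNED = {"password", "myproxy", "globus"}   # constructed word list


def character_classes(passphrase: str) -> int:
    """Count how many of lowercase / uppercase / digit / other are present."""
    count = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                if any(test(c) for c in passphrase))
    if any(not c.isalnum() for c in passphrase):
        count += 1
    return count


def passphrase_problems(passphrase: str, username: str = "") -> list:
    """Return every policy violation; an empty list means the passphrase passes."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(passphrase) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    lowered = passphrase.lower()
    if any(word in lowered for word in BANNED):
        problems.append("contains a banned word")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(passphrase)) < 4:
        problems.append("too few distinct characters")
    return problems


def main() -> int:
    username = sys.argv[1] if len(sys.argv) > 1 else ""   # assumed argument
    passphrase = sys.stdin.readline().rstrip("\r\n")
    problems = passphrase_problems(passphrase, username)
    if problems:
        # Anything printed is assumed to be relayed to the client as the reason.
        print("passphrase rejected: " + "; ".join(problems))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Keeping the checks in `passphrase_problems` rather than in `main` lets the policy be unit-tested without a server, and reporting every violation at once saves the user several round trips through `myproxy-init`.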

  19. MyProxy Server Policies
  • Who can store credentials?
    • Restrict to specific users or CAs
    • Restrict to administrator only
  • Who can retrieve credentials?
    • Allow anyone with correct password
    • Allow only trusted services / portals
  • Maximum lifetime of retrieved credentials server-wide and per-credential
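The three policy questions on this slide, modelled as an added example that is not MyProxy's implementation. The directive names (`accepted_credentials`, `authorized_retrievers`, `default_retrievers`, `max_proxy_lifetime`) are the ones used in `myproxy-server.config`; the dataclasses, the shell-style DN globbing via `fnmatch`, the per-credential `retrievers` and `max_retrieval_hours` fields and every sample DN and value are assumptions, and the password check that accompanies retrieval is deliberately left out to keep the focus on DN policy and lifetime clamping:

```python
"""Added example modelling the policy decisions on slide 19.  Not MyProxy's
code: directive names follow myproxy-server.config, everything else
(dataclasses, fnmatch-based DN globbing, sample values) is an assumption."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class ServerPolicy:
    accepted_credentials: List[str]   # DN patterns allowed to store credentials
    authorized_retrievers: List[str]  # server-wide ceiling on who may retrieve
    default_retrievers: List[str]     # applies when a credential sets no policy
    max_proxy_lifetime_hours: int     # server-wide cap on retrieved proxies


@dataclass
class StoredCredential:
    owner_dn: str
    max_retrieval_hours: int                 # per-credential cap chosen at store time
    retrievers: Optional[List[str]] = None   # per-credential retriever policy, if set


# Constructed sample policy: one organisation may store; by default only its
# portals may retrieve, and never for more than 12 hours at a time.
POLICY = ServerPolicy(
    accepted_credentials=["/C=US/O=Example Grid/*"],
    authorized_retrievers=["/C=US/O=Example Grid/*"],
    default_retrievers=["/C=US/O=Example Grid/OU=Portals/*"],
    max_proxy_lifetime_hours=12,
)


def dn_matches(dn: str, patterns: List[str]) -> bool:
    """Glob-match a DN: '*' stands for any run of characters, '/' included."""
    return any(fnmatchcase(dn, pattern) for pattern in patterns)


def may_store(policy: ServerPolicy, owner_dn: str) -> bool:
    """Who can store credentials?"""
    return dn_matches(owner_dn, policy.accepted_credentials)


def may_retrieve(policy: ServerPolicy, cred: StoredCredential, client_dn: str) -> bool:
    """Who can retrieve credentials?  The server-wide list is a ceiling; the
    credential's own list (or the server default) must also admit the client,
    so an owner cannot widen access beyond what the administrator allows."""
    if not dn_matches(client_dn, policy.authorized_retrievers):
        return False
    per_cred = cred.retrievers if cred.retrievers is not None else policy.default_retrievers
    return dn_matches(client_dn, per_cred)


def granted_lifetime_hours(policy: ServerPolicy, cred: StoredCredential, requested: int) -> int:
    """Lifetime of the retrieved proxy: the request, the per-credential cap and
    the server-wide cap all bound it, and the smallest wins."""
    return min(requested, cred.max_retrieval_hours, policy.max_proxy_lifetime_hours)
```

An empty per-credential `retrievers` list is how this model expresses the "lock credentials" operation from slide 18: the credential stays in the repository but nobody can retrieve it until the policy is changed.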

  20. MyProxy and SASL
  • MyProxy supports additional authentication mechanisms via SASL (RFC 2222)
  • One Time Passwords (SASL PLAIN with PAM)
    • Protect against stolen passwords
    • Hardware token generates OTP
    • Authenticate with OTP plus MyProxy password
    • Tested with CryptoCard tokens
  • Kerberos (SASL GSSAPI)
    • Authenticate with Kerberos ticket plus MyProxy password

  21. Related Work
  • GT4 Delegation Service
    • Protocol based on WS-Trust and WSRF
  • SACRED (RFC 3767) Credential Repository
    • http://sacred.sf.net/
  • Kerberized Online CA (KX.509/KCA)
    • Kerberos -> PKI
  • PKINIT for Heimdal Kerberos
    • PKI -> Kerberos

  22. GridLogon
  • Work in progress
  • Inspired by Peter Gutmann’s PKIBoot
    • “Plug-and-Play PKI: A PKI your Mother can Use”
  • Password-based authentication to initialize user’s security environment
    • Install identity/attribute/authorization credentials
    • Install CA certificates and CRLs
    • Install additional security configurations

  23. MyProxy Community
  • myproxy-users@ncsa.uiuc.edu mailing list
  • Bug tracking: http://bugzilla.ncsa.uiuc.edu/
  • Anonymous CVS access: :pserver:anonymous@cvs.ncsa.uiuc.edu:/CVS/myproxy
  • Contributions welcome!
    • Feature requests, bug reports, patches, etc.

  24. Thank you! Questions/Comments?
  Contact: jbasney@ncsa.uiuc.edu